PEAP and MSCHAPv2 with personal supplicant certificates

Renato Rodrigues rrodrigues at mt4.com.br
Mon Sep 26 16:16:08 CEST 2016


Good afternoon everyone.

I'm new to freeradius and I have been trying a few setups to implement
802.1x on our wired infrastructure + WPA Enterprise on our wireless
infrastructure.

We have a mixed environment with Linux and Windows 7 client machines and I
have successfully configured freeradius to authenticate to our AD server,
through both PEAP and EAP-TLS.
Over EAP-TLS the client certificate is being verified against the CA and on
the CN against the declared EAP username. I am still working on encrypting
the client certificate with personal passwords on each supplicant machine
(and I believe I'll succeed soon). I believe I'm close to replicating this
behavior over PEAP, which would add the MSCHAPv2 authentication after the
TLS validation, however this is not the full functionality that we desire.

The idea is to have individual certificates for each user, encrypted with a
personal password. The certificates being signed by the server CA with
usernames as CNs, which we are already able to check thanks to the great
templates available, and as the second step we'd like to have the user
authenticated (under the encrypted TLS connection) with MSCHAP against our
Active Directory. The current challenge is to lock the tunneled
authentication to the same username of the certificate step. This would
ensure (or at least make it harder) for privileged users to steal another
certificate and impersonate that user with that certificate. I'm not sure
if I have made myself clear, but we want to make sure users will only be
able to use their own certificates, on their own computers and not be able
to authenticate their credentials with a certificate from someone else's.

What has been troublesome for me is this last step, to lock the AD
authentication to the same user declared on the certificate. It seems to me
that the RADIUS server would be able to reject this kind of abuse, though
it might not be the way it is supposed to work. I couldn't find the right
documentation on how to do it, so anything close to it can help me. Our lab
right now is on a Debian server with freeradius 2.2.5, but we expect to put
it in production on a pfSense firewall (I should confirm soon which version
will be available there).

Thank you for your time,

Att,

*Renato Zippert*


More information about the Freeradius-Users mailing list